16:36 Register Route
29:05 Login Route
33:19 jwt
The best explanation for JWT authentication for an API. Thanks a lot! 😁
Thank you🤜🏻🤛🏻
Hi, I'm just starting to watch your video and Wow! It's pure gold. Thank you so much for the time you spent creating it. I'm going to watch it all the way through because I know I'm going to learn a lot. Thanks again!!
Thank you very much my friend. 🤜🏻🤛🏻
Bro, since I saw on GitHub that you're Brazilian, I'll just speak good old Portuguese. Your content is simply insane; I was looking for a simple little video to see the Express syntax (I come from Flask) and ended up staying for the whole video because of the SOFTWARE ENGINEERING lesson. It's insane that PREMIUM content like this isn't better known yet; you can tell you're a real dev and not a copy-and-paste course-selling dev. AWESOME.
Hey Huan, thanks a lot for the comment. I'm glad you liked the content. Cheers
Your explanations are very clear, and the examples are great to follow. Thanks for the videos!
Thank you🤜🏻🤛🏻
Excellent video, my friend! Didactic and straight to the point. It cleared up some big doubts I had about the Refresh Token mechanism.
Thank you very much!
Glad it helped. Big hug.
Keep it up man!!! Great channel. Thank you
Wow! Thank you so much for putting all this together, very professional.
Thank you🤜🏻🤛🏻
Thank you very much.
Very nice explanation.
I have subscribed to the channel as well.
Please make more content and try to cover it fully.
Whichever topic you teach, I will always like to watch, even if I already know it.
Thank you my friend🤜🏻🤛🏻
Nicely done! This is excellent so far!
Thank you very much for a great tutorial
Nice tutorial. Can you please show a little integration of this with a simple login form in a frontend?
Yes, soon we’ll have more frontend videos as well.
Not more frontend videos first, but a simple login form in the frontend for better clarification of the integration. Thanks.
@manfraio Your content is very different, detailed and excellent. But there is very little content on the web about backend (at least of your quality). Can you please make content on how we can make a platform that can scale to millions?
Very nice explanation.
This is a great tutorial. I implemented this on a Nuxt app I was working on. Can you please make a video on how to set up a reset password endpoint?
Thank you for the comment.
Yes, I’ll do soon a video about the reset password endpoint.
Thanks bro! Great explanation.
Could you please create a full-stack project using modern popular tech? I truly appreciate the time and effort you've invested in creating such amazing videos.
Thank you for your comment. For next year we’ll have full stack videos with react and react native as well.
We’ll also have a website with templates that we can use for the frontend. Stay tuned my friend.
❤❤❤ thanks 👍
This is great
@manfraio Thanks a lot!
Access and refresh tokens help in preventing replay attacks.
Ideally, blacklisting both will prevent an attacker from using a sniffed AT or RT to gain access to the system when the user is logged out AND the token is not yet expired.
(Side Note: in case the user is already logged in and the hacker was able to obtain his AT or RT and use it, this can be detected from the list of concurrent sessions of that user; then the system can take actions accordingly, maybe block the user's account or log them out of "both", etc.)
However, it creates an overhead on the backend server and DB due to the logout-login pattern of many users.
That is when many users log out (blacklist each AT and RT) then log in (create new AT and RT) then logout (blacklist newly created AT and RT) and so on.
On the DB side, a "clean-up" job could remove expired AT and RT.
Therefore, I think the meet-me-in-the-middle solution is to delete the RT and blacklist the AT until it expires; then the system (e.g. a DB job) can safely delete it.
Much appreciated!
Thank you for the comment. You point out some interesting facts here👍🏻
Hi Manfra! Would you please make a tutorial on pagination, filtering and sorting of API in Node?
Yes, we’re gonna post soon.
Thank you Sir.
thanks a lot!!
Thx for this video.
What extensions do you use for Node.js, please?
I don’t use many extensions:
JavaScript Snippets, Live Server, one for Markdown Preview, DotEnv support, EJS language support, Color Highlight (for CSS colors)
Great Video!
Just a question here:
Why blacklist the AT and delete the RT?
Why not delete both tokens?
Why not delete the AT and blacklist the RT?
Why not blacklist both tokens?
Thank you for the comment.
We're not storing the AT anywhere; we just send it directly in the response. To invalidate the AT we would need to store it somewhere so we can check whether that AT is invalid (in case the user has already logged out).
The RT we are storing in the DB, so in that case we need to delete it.
You could store both the AT and RT in the database as well, and create a boolean flag to invalidate the AT. It all depends on how you want to work.
@@manfraio Thanks a lot!
Access and refresh tokens help in preventing replay attacks.
Ideally, blacklisting both will prevent an attacker from using a sniffed AT or RT to gain access to the system when the user is logged out AND the token is not yet expired.
(Side Note: in case the user is already logged in and the hacker was able to obtain his AT or RT and use it, this can be detected from the list of concurrent sessions of that user; then the system can take actions accordingly, maybe block the user's account or log out "both".)
However, it creates an overhead on the backend server and DB due to the logout-login pattern of many users.
That is when many users log out (blacklist each AT and RT) then log in (create new AT and RT) then logout (blacklist newly created AT and RT) and so on.
On the DB side, a "clean-up" job could remove expired AT and RT.
Therefore, I think the meet-me-in-the-middle solution is to delete the RT (since then there is nothing to compare the user's RT against on the server side; it was deleted) and blacklist the AT until it expires; then the system (e.g. a DB job) can safely delete it.
Much appreciated!
Show a little integration with a simple login form on the frontend please
Yes, there will be a frontend video, using vanilla JavaScript with HTML and CSS consuming this API.
Hi Bro.
Where can I store the refresh token secret for each user in a real-world web application?
Since the access token is temporary, I wouldn't like to store it anywhere.
But I am thinking about the refresh token secret.
Please tell me what I can do.
Sure, you can store the refresh token in a DB, inside a refresh tokens table (make sure to store the userId as well) or directly inside the user’s table.
Can you please do the next one on SSO?
We’ll add videos with SSO in the future. Actually entire projects.
There are just a few other videos in line first.
@@manfraio waiting for all of your videos. Truly awesome.
@blank_bow thank you🤜🏻🤛🏻
Appreciate this, much obliged.
Thanks man